The invention relates generally to telecommunications access control systems and particularly to a telephony security system for controlling and logging access between end-user stations and their respective circuits into the public switched telephone network (PSTN).
"Policy-based security management" refers to the application of a governing set of rules at strategically located points (chokepoints) for the purpose of enforcing security boundaries between two or more networks, such that only those events meeting certain criteria may pass between them, while all other events are denied passage. For network operations, this filtering process selectively discards packets in order to control access to a network, or to resources such as files and devices. Variations and improvements of this basic theme have resulted in the devices known today as firewalls: network components that provide a security barrier between networks or network segments. Much like a guard at a checkpoint, the firewall strictly enforces, on a case-by-case basis, the rules specified within an established policy for what shall pass. The policy may also dictate additional actions, such as logging the event and/or sending an urgent electronic mail message notifying appropriate personnel of the event.
Security professionals consider firewalls essential in protecting an enterprise's private network or virtual private network from access by unauthorized personnel or "hackers." Like any security measure, however, firewalls are not foolproof. A firewall provides no protection for traffic routed around it, which is often the case when a modem is used on a computer that is also connected to the internal network; the firewall is circumvented through an unprotected channel, such as a telephone line or extension normally used for voice or fax. Clearly, there is a need for a system and method for controlling access to an enterprise's network through telephony resources that cannot otherwise be sufficiently protected by traditional firewall technology.
In addition to the security needs of computer networks, there are issues in the toll fraud, phone misuse, call accounting and bill reconciliation arenas that warrant similar protections. Currently, a need exists to address the full spectrum of security issues across an enterprise that may span the entire globe. A need exists for a scalable and manageable system and method for controlling and logging access to an enterprise's telephony resources.
The present invention, accordingly, provides a system and method for performing security access control functions for an enterprise's telephone circuits between end-user stations and their respective circuits into the public switched telephone network (PSTN). In the most basic configuration, inbound and outbound calls are allowed or denied (i.e., blocked or "hung up") according to a rule-set that is managed by a security administrator. In one aspect, the system combines call-progress monitoring, caller-ID (CND) and/or automatic number identification (ANI) decoding, digital line protocol reception and decoding, pulse dial detection, and tone detection (DTMF and MF) with microprocessor control, access-control logic, and call-interrupt circuitry.
The system and method of the present invention performs centrally managed, enterprise-wide enforcement of an enterprise""s telephony security policy and real-time notification in selected instances of attempted security breaches. The system utilizes a specialized device to monitor and control access to every telephone station, fax machine, and modem line within the enterprise that is routed through the device.
Specific attributes identified by the control device for each inbound and outbound call determine whether that call, in accordance with a predefined security policy, is allowed, denied ("hung up"), logged, and/or made to initiate additional actions such as email or pager notification. Attributes captured by the device include, as examples: station extension; inbound caller-ID information (when available); outbound number dialed; call type (i.e., fax, modem, or voice); keywords obtained via voice recognition or from demodulated modem and/or fax data; and a time and date stamp.
The rule-set for control of call traffic by the device defines a security policy that governs how telephones may be used within the enterprise. Each rule, upon meeting certain criteria, initiates appropriate security action(s).
In one embodiment, a system and method of telephony security is provided that controls call access into and out of the enterprise on a per-line (station extension or trunk line) basis. A security policy, i.e., a set of access rules, is defined for each of the ports, the rules specifying actions to be taken based upon at least one attribute of the call present on the line. In this embodiment, calls are tracked and sensed on a per-line basis, extracting the specific attributes that are available at the time of the call. Actions are then performed based upon the detected call's attributes in accordance with the security policy that applies to that line.
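The per-line rule evaluation described above, expressed as a small rule engine. This is an added example written for this page, not code from the patent or any product implementing it. The attribute names (extension, direction, call type, number, timestamp, keywords), the rule fields, first-match-wins ordering, and the default of hanging up and logging any call that no rule covers are all assumptions made for the illustration; the policy and call records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Call:
    """Attributes the control device extracts from a call on one line (assumed field set)."""
    extension: str                      # station extension / port the call is present on
    direction: str                      # "inbound" or "outbound"
    call_type: str                      # "voice", "fax" or "modem" from call-progress/tone analysis
    number: str                         # outbound number dialed, or inbound caller-ID ("" if unavailable)
    timestamp: datetime                 # time and date stamp
    keywords: frozenset = frozenset()   # keywords from voice recognition or demodulated data


@dataclass(frozen=True)
class Rule:
    """One access rule: every criterion that is set must hold for the rule to fire."""
    name: str
    actions: Tuple[str, ...]            # e.g. ("allow",) or ("deny", "log", "notify")
    direction: Optional[str] = None
    call_type: Optional[str] = None
    number_prefix: Optional[str] = None
    keywords: frozenset = frozenset()   # rule fires if any of these keywords were detected
    hours: Optional[range] = None       # local hours during which the rule applies

    def matches(self, call: Call) -> bool:
        if self.direction and call.direction != self.direction:
            return False
        if self.call_type and call.call_type != self.call_type:
            return False
        if self.number_prefix is not None and not call.number.startswith(self.number_prefix):
            return False
        if self.keywords and not (self.keywords & call.keywords):
            return False
        if self.hours is not None and call.timestamp.hour not in self.hours:
            return False
        return True


Policy = Dict[str, List[Rule]]          # per-line (extension or trunk) ordered rule list
DEFAULT_ACTIONS = ("deny", "log")       # assumed default: a call no rule covers is hung up and logged


def evaluate(policy: Policy, call: Call) -> Tuple[str, Tuple[str, ...]]:
    """First matching rule on the call's own line wins; unknown line or no match -> default."""
    for rule in policy.get(call.extension, []):
        if rule.matches(call):
            return rule.name, rule.actions
    return "default", DEFAULT_ACTIONS


def log_line(call: Call, verdict: Tuple[str, Tuple[str, ...]]) -> str:
    """Render the audit record the device would write for this call."""
    rule, actions = verdict
    return (f"{call.timestamp:%Y-%m-%d %H:%M} ext={call.extension} {call.direction} "
            f"{call.call_type} num={call.number or '-'} rule={rule} actions={','.join(actions)}")


# Constructed sample policy (illustrative only).
SAMPLE_POLICY: Policy = {
    # 4101: an ordinary voice/fax station; any modem session here is a firewall bypass.
    "4101": [
        Rule("voice", ("allow",), call_type="voice"),
        Rule("fax", ("allow", "log"), call_type="fax"),
        Rule("rogue-modem", ("deny", "log", "notify"), call_type="modem"),
    ],
    # 4220: an authorised dial-in modem line with restrictions; order matters.
    "4220": [
        Rule("toll-block", ("deny", "log"), direction="outbound", number_prefix="1900"),
        Rule("credential-leak", ("deny", "log", "notify"),
             call_type="modem", keywords=frozenset({"password"})),
        Rule("dialin-hours", ("allow", "log"), direction="inbound",
             call_type="modem", hours=range(8, 18)),
    ],
}


def at(hour: int) -> datetime:
    return datetime(2001, 3, 5, hour, 0)    # constructed timestamp


# Constructed sample calls.
SAMPLE_CALLS = {
    "voice_4101":  Call("4101", "outbound", "voice", "2125551000", at(10)),
    "modem_4101":  Call("4101", "outbound", "modem", "2125552000", at(11)),
    "toll_4220":   Call("4220", "outbound", "modem", "19005551234", at(12)),
    "late_4220":   Call("4220", "inbound", "modem", "3105553000", at(22)),
    "leak_4220":   Call("4220", "outbound", "modem", "3105554000", at(9),
                        frozenset({"password", "login"})),
    "unknown_ext": Call("4999", "inbound", "voice", "", at(9)),
}


if __name__ == "__main__":
    for call in SAMPLE_CALLS.values():
        print(log_line(call, evaluate(SAMPLE_POLICY, call)))
```

Two design points worth noting. Rules are evaluated in order and the first match wins, so the keyword rule on line 4220 is listed before the business-hours allow rule; reversing them would let an in-hours inbound modem session carrying a detected keyword through. Second, a line with no policy entry, and a call that no rule on its line covers, both fall to the same default, so the administrator's choice of that default (deny-and-log here) is what a forgotten extension actually gets.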